In 1965, one of the most influential bands of our times was formed... Pink
Floyd. This boot2root box has been created to celebrate 50 years of Pink
Floyd’s contribution to the music industry, with each challenge giving the
attacker an introduction to each member of the Floyd.
Wireshark was used to expose an ARP broadcast for TCP 1337, and a netcat listener was set up on port 1337.
The target machine connected with the following message:
After the machine successfully connected to the netcat listener, the following
services were discovered with Nmap.
OpenSSH 7.0 (protocol 2.0)
Interrogation of the page source revealed a code comment with an ASCII-encoded string:
Decoding revealed the MD5 hash: steg=33115730dbbb370fcbe9720fe632ec05
The discovered hash was cracked with Hashcat:
Install steghide on Kali: apt-get install -y steghide
The command steghide extract -sf pink_floyd.jpg was used to extract the data
hidden within the image (steganography). Entering the previously
cracked password divisionbell disclosed another message containing
a base64-encoded string and another MD5 hash.
The discovered account credentials above allowed access to an SFTP server on
the target machine.
The file eclipsed_by_the_moon was downloaded for further
Fatcat FAT16 Forensics Tool
The file command was used to disclose the following information about the
previously retrieved file eclipsed_by_the_moon.
Research discovered Fatcat, a forensics tool used for
recovering / extracting data from FAT16 images.
The following command was used to extract a deleted image file from the FAT16
Viewing the image disclosed the user's password:
A non-privileged SSH shell was established using the previously discovered
The uppercase characters in the username were guessed from the previous username pattern.
Local System Enumeration
Enumeration of the system discovered the SUID binary: /usr/local/bin/brick
Running the SUID binary and answering the question correctly with Nick Mason changed the current user to “NickMason”.
Local enumeration of nick_mason_profile_pic.jpg discovered the file was an .ogg audio file containing Morse code data.
Extracting Morse Code Data
The ogg file contained Morse code data with music playing at the same time over
both stereo channels.
Audacity was used with a low high-pass filter to help remove as much of the
lower-frequency music as possible, making the higher-frequency Morse code tones
easier to hear.
Sonic Visualiser was used in addition to help visualise the Morse code dots and
Morse Code Decoded
su - RichardWright was possible using the above credentials.
Local enumeration discovered the SUID binary
/usr/local/bin/shineon. Running the binary through
strings showed that it called the program mail without
specifying the absolute path.
The following file was created:
The working directory was changed to /tmp and PATH was set to . (the current directory).
Selecting option 4 executed the mail script successfully.
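The root cause above is shineon resolving mail through the caller's PATH. As an added example (not code from the box or from the original write-up), this C code shows a check for PATH entries that resolve to the current directory and a launcher that accepts only an absolute path and passes a fixed environment. The function names are hypothetical, and /bin/sh stands in for the mail binary, whose location the page does not give.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count PATH entries that resolve relative to the current directory:
 * empty entries (leading, trailing or doubled ':'), "." and any other
 * entry that does not start with '/'. */
int unsafe_path_entries(const char *path)
{
    int unsafe = 0;
    const char *p = path;
    for (;;) {
        size_t len = strcspn(p, ":");
        if (len == 0 || p[0] != '/')
            unsafe++;
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    return unsafe;
}

/* Hardened replacement for running a helper by bare name from a set-uid
 * program: absolute path only, no shell, no PATH search, fixed environment.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_fixed(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                  /* refuse bare names such as "mail" */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: PATH "." as in the walkthrough; /bin/sh is a stand-in. */
    char *const argv[] = { "sh", "-c", "exit 0", NULL };
    return (unsafe_path_entries(".") == 1 && run_fixed("/bin/sh", argv) == 0) ? 0 : 1;
}
```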
With euid set, enumeration of DavidGilmour's home directory was possible.
Running strings on david_gilmour_profile.jpg revealed the users
URL also disclosed via Apache config
The web app URL was also disclosed at /etc/httpd.conf.orig
Viewing anotherbrick.txt revealed the following:
Web Application Enumeration
Enumeration of the above web application exposed a code comment riddle:
The area of the image near the dog revealed some text strings. Using
ImageMagick, the brightness was increased to disclose the strings.
Searching for the string welcomethemachine discovered the
following binary /var/www/htdocs/welcometothemachine/PinkFloyd.